Bust-out fraud: How it works and how to stop it

At 20%, credit card fraud was one of the most common types of fraud reported by bank, fintech, and credit union leaders in Alloy’s 2025 State of Fraud Benchmark Report. This follows a trend from last year's report, in which 21% of financial leaders ranked bust-out fraud as the most frequent and costly fraud type. 

In bust-out fraud, a fraudster wins an organization's trust to extract financial value, and then vanishes without paying. This scam typically affects credit card companies and other organizations that offer lending services. Financial institutions and fintechs may divert significant resources from productive activities to close down accounts and chase after funds whenever a formerly “good” customer busts out.

Although bust-out fraud is widespread, financial organizations often struggle to identify and prevent it. To protect themselves and their customers, financial organizations must learn the signs of bust-out fraud and equip themselves with the best tips for mitigating it.

Bust-out fraud works like a hit-and-run

Bust-out fraud attacks are like a hit-and-run; they’re fast, disorienting, and impactful. 

But unlike a hit-and-run, bust-out fraud is usually part of a heavily considered scheme designed to maximize impact. The goal of a bust-out fraudster is simple: to steal as much money as possible without being detected. 

Signs of a bust-out scheme

Bust-out fraud schemes share similar characteristics. They typically go like this: 

1. Bust-out fraud can sometimes be first-party fraud, where a fraudster uses their actual identity to extract value from a financial institution or fintech without ever intending to repay. But in most cases, a fraudster opens an account using a stolen social security number or other personally identifiable information (PII) from a victim with a clean credit report. 
2. They make small purchases and timely payments to build trust, disguising their suspicious activity with seemingly normal behavior that maintains the quality of the victim’s credit profile.
3. Once they’ve earned a high credit limit, the fraudster "busts out" by maxing out the established credit line.
4. The fraudster disappears without intention of ever paying back the funds, leaving the organization with significant losses.

Fraudsters who use a stranger’s stolen identity to commit fraud may buy or sell account information belonging to individuals with good credit scores and high transaction limits on the dark web to commit bust-out fraud. They may also stockpile synthetic identities, building months or years' worth of realistic credit history as a cardholder. 

While people and businesses with high lines of credit are ideal targets for bust-out crime rings, financial criminals may also target deposit accounts without overdraft fees or embedded financial services like buy now, pay later (BNPL).

Bust-out fraudsters are well-equipped

It’s common for a fraudster equipped with stolen identities to set up several credit card accounts simultaneously in the leadup to a bust-out fraud attack. By establishing a trustworthy repayment history across multiple identities, fraudsters can widen their profits without being seen as a credit risk. Appearing like responsible borrowers gives bust-out fraudsters the best chance of making off with a hefty sum.

A successful bust-out may involve faking financial statements, fabricating trade and payment references, and stealing a small or medium-sized business’s identity. Bad actors may use virtual or fake office addresses for credit card applications, leveraging online services for false phone numbers, websites, and answering services. Thanks to generative AI, it’s easier than ever for fraudsters to forge official business registrations like LLCs and licenses.

Bust-out fraud is hard to classify and attribute

Bust-out fraud often begins as an account takeover (ATO) attack or identity theft. This type of fraud attack is also known as third-party fraud: when a bad actor uses someone else’s identity or credentials to commit fraud without their consent.

Third-party fraud is as devastating for customers as it is for financial institutions and fintechs. But organizations may erroneously classify all or most bust-out fraud as first-party fraud, pointing a finger at their customers instead. 

With bust-outs and identity theft going underreported, financial organizations must be wary of the tendency to overgeneralize. Last year, financial institutions and fintechs attributed a majority of fraud attempts to sophisticated crime rings. At 14%, financial organizations determined that it is less common for fraud attempts to be committed by customers who act of their own accord.

Many fraud detection systems rely on spotting unusual spikes in transaction speed. But criminal rings know how to engineer fraud attacks that keep just below velocity thresholds by exploiting the "gray zone." All it takes is a little bit of good timing for experienced fraudsters to bust out before red flags are raised.

What is the impact of bust-out fraud?

Effects on the organization

A single bust-out fraud attack can cost a financial organization tens or even hundreds of thousands of dollars in direct fraud losses. Indirect consequences are also severe and vary by sector. High rates of bust-out fraud can damage a financial institution or fintech’s reputation as well as its relationships with customers, financial partners, payment processors, and regulators. 

Fintechs, for instance, may experience heat from sponsor banks, who may view repeat bust-out fraud attacks as high-risk and terminate their partnership altogether. Credit card issuers and networks may levy fines or cut off card processing privileges entirely. And compliance fines can shutter embedded finance operations, costing all parties a revenue stream. 

In the aftermath of a bust-out fraud scheme, financial institutions and fintechs will often need to divert resources from revenue-generating activities to chase down delinquent account owners. Even with ample resources, these collection efforts may be fruitless. Fraudulently acquired gains can vanish without a trace, leaving no way for financial institutions and fintechs to recover lost funds.

Consequences for the customer

Bust-out fraud schemes can seriously affect identity theft victims — the real people whose identities were used to finance fraudulent spending sprees. Unless a victim can prove that an account in their name is fraudulent, they may be responsible for repayment. 

Identity theft victims who have suffered from bust-out fraud must undergo a time-consuming process to restore their damaged credit and clear their names. Often, this means account closures that limit that person’s access to financial resources. 

Beyond the immediate inconvenience of initiating police reports, submitting paperwork, and settling disputes with creditors, victims of bust-out fraud may be unable to obtain loans, enter rental contracts, or even get hired in the future.

Why the rise in bust-out fraud?

Fraud experts and academics often use the fraud triangle framework to determine what causes fraud risk. The triangle posits that individuals are more likely to engage in fraud attempts when three key factors align: financial pressure/motivation, opportunity, and rationalization.
 

Macroeconomic factors contribute substantially to the motivation and rationalization behind bust-out fraud. According to the International Monetary Fund, the COVID-19 pandemic pushed 120 million people into extreme poverty. Although beneficial for many, new ways of remote working also point to exacerbated inequalities that make fraud rationalization easier. With more financial offers on the market than ever, fraudsters have been busting out and cashing in under prime circumstances.

How do you stop bust-out fraud?

Financial institutions and fintechs can significantly reduce bust-out fraud risk by implementing a layered prevention strategy:

1. Apply robust identity verification to all new accounts

Use traditional and alternative data sources to verify new accounts during onboarding and throughout the customer lifecycle. Your channels should be unified so that identity data is accessible whether your customers choose to conduct business with you in-branch or online.
 

2. Establish a friction-right onboarding process

Organizations often try to make onboarding frictionless to avoid deterring legitimate customers. But this can also make it too easy for fraudsters to slip through. Finding the right balance between security and convenience is an ongoing challenge, but critical to keeping fraudsters out of your system.
 

3. Monitor for red flags like sudden identity and behavior changes

Identify anomalies at onboarding and in real-time throughout the customer lifecycle. Watch out for changes to PII or changes in activity, such as sudden large purchases, an increase in velocity, or deviation from peers. Monitor accounts for identity changes (this could indicate an account takeover) using the broadest possible data set, and flag suspicious applications and transactions that need extra care for manual review. Implement step-up authentication for risky behavior, allowing legitimate customers to self-resolve. 

4. Leverage machine learning and artificial intelligence to stop fraud in real-time

Use machine learning algorithms to automate decision-making processes. This will free up your organization’s time and resources while enhancing fraud detection capabilities. Machine learning algorithms can help identify sophisticated fraudulent activities like synthetic identity fraud and make it easy to adapt workflows quickly in response to fraud landscape changes or market shifts. By leveraging machine learning insights backed by a broad data set, your organization can quickly detect anomalies, unusual patterns, and potentially fraudulent activities.
 

5. Practice continuous testing

Continuously test new data sources and workflow optimizations to keep ahead of evolving fraud schemes.. Alloy's Identity and Fraud Prevention Platform has a nimble software development kit (SDK) that makes it easy to test new data sources and iterate upon them before going live with them.
 

6. Manage compliance

Regulatory requirements can protect consumers and financial institutions from becoming fraud victims. You can meet these requirements by offering a transparent view into the decision-making process and enabling quick adaptation to legislative changes. Solutions that blend identity and fraud prevention can help strike a balance between risk management and scalable growth.
 

7. Adopt a holistic, identity-centric approach to fraud prevention

Financial institutions and fintechs are pivoting strategically to omnichannel solutions that provide a holistic view of fraud across all touchpoints. By looking at the big picture, not just individual data points, your organization can track and report fraud from origination to execution while also identifying fraud methodology.

This comprehensive approach allows you to apply targeted fraud prevention across different digital and physical channels. By adhering to a consistent set of identity decisioning standards and leveraging data from all touchpoints, you will be better prepared to address each channel's unique vulnerabilities as they arise and respond more effectively to evolving fraud threats.
 

With the right approach, you can prevent bust-out fraud attacks

As payment systems get faster, the window for lenders to detect and stop bust-out fraud and other fraud types continues to shrink. Sixty percent of financial institutions and fintechs experienced a rise in fraud attacks in consumer and business accounts last year, up 3% from the year prior.
 

As fraudsters continue to use speed and anonymity for gain, financial institutions and fintechs must decide how much fraud risk they will incur and which processes they will deploy. By looking closely at bust-out fraud and applying a comprehensive approach to fraud prevention, financial organizations can safeguard against this threat.